Privacy Policy
Version 1.0.0 — Effective 2026-02-25
1. Data Controller
Legal AI ("we", "us") is the data controller for your personal data. We provide AI-assisted legal defense services to Greek lawyers through the platform lawyerai.online.
For questions about your data, contact us: privacy@lawyerai.online
2. Data We Collect
We collect the following categories of personal data:
• Account data: Full name, email, Bar Association ID (AM), language preference
• Case data: Court case text or document (anonymized before AI processing)
• Payment data: Transaction records (amount, credits). Card details are NOT stored — payment is processed via Stripe
• Usage data: Analysis records, credits, AI token usage
• Technical data: IP address (at login), user agent (at consent)
3. Legal Basis for Processing
We process your data based on:
• Consent (Article 6(1)(a) GDPR): You explicitly accept this policy when creating an account
• Contract performance (Article 6(1)(b) GDPR): Processing is necessary to provide the service (case analysis, law retrieval, defense argument generation)
• Legal obligation (Article 6(1)(c) GDPR): Transaction record retention per Greek tax law (5 years)
• Legitimate interest (Article 6(1)(f) GDPR): System security and abuse prevention
4. PII Protection
We apply a dual anonymization system before your data reaches any AI model:
1. Custom preprocessing: Detection of Greek-specific PII patterns (email, phone numbers, tax IDs, social security IDs, passports) via regex
2. Google Cloud DLP: Professional de-identification service for names, phone numbers, emails, and addresses
Your data is anonymized BEFORE it is sent to the AI model. Original data is restored only in the final output that you see.
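As an added illustration of the reversible placeholder approach described in this section (example code written for this page, not the platform's own implementation): PII is swapped for stable tags before the text leaves the server, the tag map never leaves the server, and the tags are mapped back only in the final output. The regular expressions are simplified, assumed patterns (Greek AFM as 9 digits, AMKA as 11 digits, Greek mobile/landline formats), not the platform's actual rules.

```python
import re
from typing import Callable, Dict, List, Tuple

# Assumed, simplified patterns for illustration only (not the platform's rules).
# Order matters: longer/more specific patterns run before shorter digit patterns.
PII_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("AMKA",  re.compile(r"\b\d{11}\b")),             # social security number, 11 digits
    ("AFM",   re.compile(r"\b\d{9}\b")),              # tax ID, 9 digits
    ("PHONE", re.compile(r"\b(?:69\d{8}|2\d{9})\b")),  # mobile 69xxxxxxxx / landline 2xxxxxxxxx
]

def anonymize(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace every PII match with a stable tag such as [AFM_1].
    Returns the anonymized text and the tag -> original map, which must stay server-side."""
    tag_to_value: Dict[str, str] = {}
    value_to_tag: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def make_repl(kind: str) -> Callable[[re.Match], str]:
        def repl(m: re.Match) -> str:
            value = m.group(0)
            if value in value_to_tag:            # same value -> same tag, so context survives
                return value_to_tag[value]
            counters[kind] = counters.get(kind, 0) + 1
            tag = f"[{kind}_{counters[kind]}]"
            tag_to_value[tag] = value
            value_to_tag[value] = tag
            return tag
        return repl

    for kind, pattern in PII_PATTERNS:
        text = pattern.sub(make_repl(kind), text)
    return text, tag_to_value

def restore(text: str, tag_to_value: Dict[str, str]) -> str:
    """Map tags back to the original values in the model's output (final step only)."""
    for tag, value in tag_to_value.items():
        text = text.replace(tag, value)
    return text

def contains_pii(text: str) -> bool:
    """Pre-send check: refuse to transmit if any pattern still matches."""
    return any(pattern.search(text) for _, pattern in PII_PATTERNS)

# Constructed sample case text (fictitious values).
SAMPLE = ("Client with AFM 123456789 and AMKA 01018012345, phone 6912345678, "
          "email giorgos@example.gr. AFM 123456789 appears again in the filing.")
```

The `contains_pii` check runs on the anonymized text before transfer and complements, rather than replaces, the second de-identification layer.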
5. Sub-Processors
We use the following third-party providers:
• Google Cloud Platform: Cloud DLP (PII anonymization, europe-west1 EU), Document AI (PDF text extraction, europe-west1 EU), Cloud Run (hosting, europe-west1 EU), Vertex AI Embeddings (embedding generation, europe-west1 EU)
• Google Gemini API (global endpoint): Defense argument generation. The Gemini 3 Flash model is only available on the global endpoint. Data is fully anonymized before transfer. Covered by Google Cloud Terms of Service and Data Processing Addendum (DPA).
• Firebase (Google, EU): Authentication, Firestore (database)
• Stripe (US, with EU SCCs): Payment processing
• Tavily (US, with EU SCCs): Legal content web search
• Resend (US, with EU SCCs): Email notifications
All sub-processors are bound by EU Standard Contractual Clauses (SCCs) or equivalent safeguards. Last updated: 2026-02-25.
To request a Data Processing Agreement (DPA), contact: privacy@lawyerai.online
6. Data Retention
• Case analyses: 24 months — then automatically deleted
• Transaction records: 60 months (5 years) — required by Greek tax law
• Account data: Until you delete your account
• Consent records: Until you delete your account (required as proof of consent)
7. Your Rights (GDPR)
Under the GDPR, you have the following rights:
• Right of access (Article 15): Get a copy of all your data — via Settings → "Download My Data"
• Right to rectification (Article 16): Update your name and Bar ID via Settings
• Right to erasure (Article 17): Permanently delete your account and all data — via Settings → "Delete Account"
• Right to data portability (Article 20): Export your data in JSON format
• Right to object (Article 21): Contact us at privacy@lawyerai.online
• Right to lodge a complaint: Hellenic Data Protection Authority (HDPA), www.dpa.gr
8. Cookies
We use a single cookie:
• __session: Strictly necessary authentication cookie. Contains your encrypted login token. Flags: Secure, SameSite=Strict. We do not use tracking, analytics, or advertising cookies.
9. Data Transfers
Your data is stored and processed as follows:
• Storage & database: Google Cloud europe-west1 (Belgium, EU)
• Embeddings: Vertex AI europe-west1 (EU)
• AI generation: Google Gemini API global endpoint — data is fully anonymized before transfer, covered by Google Cloud DPA
• Payments: Stripe (US, with EU SCCs)
• Legal search: Tavily (US, with EU SCCs)
For services outside the EU, European Commission Standard Contractual Clauses (SCCs) are applied in accordance with Article 46(2)(c) GDPR.
10. Security
We implement appropriate technical and organizational measures:
• Encryption in transit (HTTPS/TLS)
• Secure cookies with Secure and SameSite flags
• Firebase Authentication with token verification on every request
• Two-layer PII anonymization before AI processing
• Role-based access control
• Admin action audit logging
11. Special Category Data (Article 9)
Legal cases may contain sensitive data such as health data, criminal history, or disability information. We take the following measures:
• All case data is anonymized via Cloud DLP before transfer to the AI model
• The legal basis for processing sensitive data is your explicit consent (Article 9(2)(a) GDPR)
• By submitting a case containing sensitive data, you consent to its processing
• As a lawyer, you are responsible for informing your clients about the use of AI in their case
12. Breach Notification
In the event of a personal data breach:
• We will notify the Hellenic Data Protection Authority (HDPA) within 72 hours (Article 33 GDPR)
• We will notify affected users without undue delay if the breach is likely to put their rights at risk (Article 34 GDPR)
• We maintain a breach register with details, impact, and remedial measures taken
• Notification will include: nature of breach, data affected, remedial actions taken
13. Consent Withdrawal
You have the right to withdraw your consent at any time (Article 7(3) GDPR):
• Via Settings → "Manage Consents" you can withdraw consent for analytics and functional cookies
• Withdrawal does not affect the lawfulness of processing prior to withdrawal
• The authentication cookie (__session) is strictly necessary — it cannot be disabled while using the service
14. Changes to This Policy
We may update this policy. For material changes:
• We will increment the policy version number
• You will be asked to re-accept before continuing to use the service
• Dashboard access will be blocked until you accept the new version